Kimsuky’s new campaign uses RDP Wrapper for remote access

March 4, 2025
RDP Wrapper Kimsuky Remote Access Hackers

The North Korean state-backed cyberespionage group Kimsuky is using a modified build of the open-source RDP Wrapper in its latest campaign.

The group pairs it with proxy tools to gain direct access to compromised networks. Researchers who analysed the activity say it marks a shift in the group's infection tactics.

Kimsuky now leans on purpose-built remote-access tooling rather than relying solely on backdoors such as PebbleDash, which remains in use. The current infection chain starts with a spear-phishing email carrying a malicious shortcut (.lnk) file disguised as a PDF or Word document.

The emails address the recipient by name and use the correct organisation names, indicating that Kimsuky performed reconnaissance before the attack. Opening the shortcut launches PowerShell or mshta.exe to fetch further payloads from an external server: PebbleDash, the customised RDP Wrapper, and proxy tools for reaching hosts behind private-network restrictions.
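A hunt for that first stage on an endpoint, added here as an example and not taken from the researchers' report: it pulls Sysmon process-creation events (assumed to be enabled under the default channel name) and flags PowerShell or mshta.exe launched by the shell or mail client with a URL on the command line, which is how a double-clicked shortcut typically reaches out for its payload. The parent-process names are an assumption about how the attachment is opened, not a detail from the report.

```powershell
# Added example: hunt Sysmon process-creation events for the LNK stage described above.
# Assumes Sysmon is installed with event ID 1 logging under its default channel name.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData name/value pairs so they can be filtered by name.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $d['User']
        ParentImage = $d['ParentImage']
        Image       = $d['Image']
        CommandLine = $d['CommandLine']
    }
} | Where-Object {
    # Interpreter spawned by the shell or mail client (assumed parents for an opened attachment)
    # and told to fetch something over HTTP(S): the shortcut's download step.
    $_.Image -match '\\(mshta|powershell|pwsh)\.exe$' -and
    $_.ParentImage -match '\\(explorer|outlook)\.exe$' -and
    $_.CommandLine -match 'https?://'
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell on the suspect host; widen the parent-image pattern if attachments are opened from an archive tool rather than Explorer.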

Kimsuky uses RDP Wrapper to enable Remote Desktop Protocol on Windows editions that do not support it.

According to the analysis, Kimsuky chose RDP Wrapper because it is a legitimate open-source program that enables Remote Desktop Protocol (RDP) hosting on Windows editions that do not natively support it.

It works as a layer between the Service Control Manager and the Terminal Services DLL (termsrv.dll), so remote desktop connections can be enabled without patching system files. Kimsuky's build modifies the DLL's export functions so that signatures written for the stock RDP Wrapper binary no longer match, and its behaviour is likely distinct enough to slip past signature-based detection.

The main benefit of a custom RDP Wrapper is evasion: RDP sessions are usually treated as legitimate administrative traffic, so Kimsuky can stay under the radar for longer.

It also gives the operators a more convenient GUI-based remote control than shell access through malware, and, combined with relay tools, it can get around firewall or NAT restrictions so that RDP is reachable from outside the network.
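A host check for the RDP Wrapper footprint, added here as an example rather than code from the report. It relies on one assumption: a stock Windows install registers %SystemRoot%\System32\termsrv.dll as the TermService ServiceDll, while RDP Wrapper, renamed or re-exported builds included, points that value at its own DLL, so the registry value rather than a file name, hash or export list is what to compare. The Windows edition is reported alongside because RDP Wrapper is only needed on editions that cannot host RDP themselves.

```powershell
# Added example: flag a TermService that loads something other than the stock termsrv.dll.
# Assumption: RDP Wrapper installs by repointing the ServiceDll value below at its own DLL.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$serviceDll = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $paramsKey -ErrorAction Stop).ServiceDll)
$stockDll   = Join-Path $env:SystemRoot 'System32\termsrv.dll'

$finding = [ordered]@{
    Edition           = (Get-CimInstance Win32_OperatingSystem).Caption
    RdpEnabled        = ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)
    ServiceDll        = $serviceDll
    ServiceDllIsStock = ($serviceDll -ieq $stockDll)
    DllSignedByMS     = $false
}

# The stock DLL is Microsoft-signed (via the system catalog); a wrapper DLL, renamed or not, is not.
if (Test-Path -LiteralPath $serviceDll) {
    $sig = Get-AuthenticodeSignature -FilePath $serviceDll
    $finding.DllSignedByMS = ($sig.Status -eq 'Valid' -and
                              $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# Either condition is the RDP Wrapper footprint regardless of file name, hash or export names.
$finding.Suspicious = (-not $finding.ServiceDllIsStock) -or (-not $finding.DllSignedByMS)
[pscustomobject]$finding
```

Changing export names defeats a hash or export-based signature, but the service still has to load the DLL, so the ServiceDll value and its signer survive that change. Pair the host check with network telemetry: inbound RDP on a host whose edition should not be listening, or RDP traffic arriving through an unexpected relay, is the complementary signal.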

Once the attackers have established persistence on a target, they drop secondary payloads. These include a keylogger that records keystrokes to text files in system directories, an infostealer that extracts credentials saved in web browsers, and a PowerShell-based ReflectiveLoader that executes payloads in memory.

Kimsuky remains a persistent and evolving threat despite this shift in tactics. It is still one of North Korea's most active cyberespionage groups, focused on intelligence gathering.
